A Twitter account run by anonymous hackers (who claim to be a group) under the name Lulzsec India has tweeted about a vulnerability involving 22,000 Aadhaar and PAN cards. They have refused to provide further information till the vulnerability is patched. The screenshot they have tweeted appears to show numbered folders and image documents of an Aadhaar card and the name “Kamlesh Tiwari” written by hand, which could be the scan of a signature.
The breach does not appear to be a website vulnerability, but a poorly coded server related to PAN applications that allows malicious hackers unlimited file management access over FTP. As of now, it is not known which server this information is on, and the group refuses to reveal further details till the vulnerability is fixed. (Note: MediaNama is not publishing the link to the tweet, as it contains unredacted information about the Aadhaar in the image.)
“We all live in country where cyber security made stronger only by court orders and useless statements of denial and not secure coding practices,” said Lulzsec India when approached via private messages for more information related to the breach.
Other security issues reported by Lulzsec India include vulnerabilities that allowed logging into the Rajya Sabha server and that ISRO Bhuvan Mapper was running on 7-year-old server code and was vulnerable to all the security issues that had been revealed in that time.
Some instances of website or application breaches
- July 28, 2017 – Abhinav Srivastava, co-founder of Quarth technologies, created an “Aadhaar e-KYC” app that accessed the UIDAI API without authorization.
- September 10, 2017 – During the Kanpur Fake Aadhaar Enrollment scam, the enrollment software was found to be reverse engineered to bypass iris scan authentication for operators.
- January 4, 2018 – The Tribune reported that access to Aadhaar data could be purchased for as little as Rs. 500 on social media.
- January 4, 2018 – The Quint reported that data admins could create other data admin accounts at their discretion, without any checks.
- January 9, 2018 – The UIDAI suspended the access of 5,000 officials to the UIDAI database without authorization (after the Tribune breach report, but apparently separate from both The Tribune and The Quint reports, as these were officials who had access – without authorization? – that got blocked).
- January 12, 2018 – French security researcher “Elliot Alderson” reported vulnerabilities in the mAadhaar app.
Some other large breaches of Aadhaar data
- May 2, 2017 – CIS India reported that details of around 130-135 million Aadhaar numbers and around 100 million bank numbers had been leaked online by four government schemes alone.
- July 9, 2017 – An independent website called MagicAPK (since removed) was leaking data of 120 million Jio customers. Querying the website by phone number returned details such as name, email, circle, SIM activation date and Aadhaar number. While Jio dismissed the data as unauthentic, it was independently verified by many people. Initial subscribers were more affected.
- July 20, 2017 – The government admitted that around 210 government websites had been leaking sensitive information including Aadhaar.
- January 5, 2018 – India Today published a sting operation that showed that details of Aadhaar card applicants could be obtained from enrollment agents for as little as Rs. 2–5 per applicant.